SECURITY: protect upload params, only allow very strict filenames

2025-06-24 00:41:33 +08:00 · 2016-12-19 10:16:18 +11:00
parent 8a461e6283
commit 402f06de27
4 changed files with 75 additions and 0 deletions
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@ -4,6 +4,9 @@ class UploadsController < ApplicationController

  def create
    type = params.require(:type)
+
+    raise Discourse::InvalidAccess.new unless type =~ /^[a-z\-\_]{1,100}$/
+
    file = params[:file] || params[:files].try(:first)
    url = params[:url]
    client_id = params[:client_id]
@ -73,6 +76,7 @@ class UploadsController < ApplicationController
      # convert pasted images to HQ jpegs
      if filename == "blob.png" && SiteSetting.convert_pasted_images_to_hq_jpg
        jpeg_path = "#{File.dirname(tempfile.path)}/blob.jpg"
+        OptimizedImage.ensure_safe_paths!(tempfile.path, jpeg_path)
        `convert #{tempfile.path} -quality #{SiteSetting.convert_pasted_images_quality} #{jpeg_path}`
        # only change the format of the image when JPG is at least 5% smaller
        if File.size(jpeg_path) < File.size(tempfile.path) * 0.95